Fundamental flaws uncovered in Mega's encryption scheme — show the service can read your data
MEGA's system does not protect its users against a malicious server and present five distinct attacks, which together allow for a full compromise of the confidentiality of user files — the researchers wrote on a website. Additionally, the integrity of user data is damaged to the extent that an attacker can insert malicious files of their choice, which pass all authenticity checks of the client. We built proof-of-concept versions of all the attacks — showcasing their practicality and exploitability.
https://arstechnica.com/information-technology/2022/06/mega-says-it-cant-decrypt-your-files-new-poc-exploit-shows-otherwise/
#mega #vulnerability #cloud #data
MEGA's system does not protect its users against a malicious server and present five distinct attacks, which together allow for a full compromise of the confidentiality of user files — the researchers wrote on a website. Additionally, the integrity of user data is damaged to the extent that an attacker can insert malicious files of their choice, which pass all authenticity checks of the client. We built proof-of-concept versions of all the attacks — showcasing their practicality and exploitability.
https://arstechnica.com/information-technology/2022/06/mega-says-it-cant-decrypt-your-files-new-poc-exploit-shows-otherwise/
#mega #vulnerability #cloud #data
Ars Technica
Mega says it can’t decrypt your files. New POC exploit shows otherwise
Fundamental flaws uncovered in Mega's encryption scheme show service can read your data.
MEGA Security Update
https://blog.mega.io/mega-security-update
Today, MEGA has released software updates that fix a critical vulnerability reported by researchers at one of Europe’s leading universities, ETH Zurich, Switzerland. Further updates addressing less severe identified issues will follow in the near future. MEGA is not aware of any user accounts being compromised by these vulnerabilities.
Who is potentially affected?
Customers who have logged into their MEGA account at least 512 times (the more, the higher the exposure). Note that resuming an existing session does not count as a login. While all MEGA client products use permanent sessions by default, some third-party clients such as Rclone do not, so their users may be exposed.
Who could have exploited the vulnerability?
Very few: An attacker would have had to first gain control over the heart of MEGA’s server infrastructure or achieve a successful man-in-the-middle attack on the user’s TLS connection to MEGA.
What could have been the outcome?
Once a targeted account had made enough successful logins, incoming shared folders, MEGAdrop files and chats could have been decryptable. Files in the cloud drive could have been successively decrypted during subsequent logins. Furthermore, files could have been placed in the account that appear to have been uploaded by the account holder (a “framing” attack).
#mega #cloud #vulnerability
https://blog.mega.io/mega-security-update
Today, MEGA has released software updates that fix a critical vulnerability reported by researchers at one of Europe’s leading universities, ETH Zurich, Switzerland. Further updates addressing less severe identified issues will follow in the near future. MEGA is not aware of any user accounts being compromised by these vulnerabilities.
Who is potentially affected?
Customers who have logged into their MEGA account at least 512 times (the more, the higher the exposure). Note that resuming an existing session does not count as a login. While all MEGA client products use permanent sessions by default, some third-party clients such as Rclone do not, so their users may be exposed.
Who could have exploited the vulnerability?
Very few: An attacker would have had to first gain control over the heart of MEGA’s server infrastructure or achieve a successful man-in-the-middle attack on the user’s TLS connection to MEGA.
What could have been the outcome?
Once a targeted account had made enough successful logins, incoming shared folders, MEGAdrop files and chats could have been decryptable. Files in the cloud drive could have been successively decrypted during subsequent logins. Furthermore, files could have been placed in the account that appear to have been uploaded by the account holder (a “framing” attack).
#mega #cloud #vulnerability
Mega Blog
MEGA Security Update - Mega Blog
Company and product updates of MEGA Cloud storage. Access the world's most trusted, protected cloud storage.